Solved: Re: Field extraction from information in field=sou...

zindain24 · ‎08-07-2013

My webserver logs are sent to my indexers through a Universal Forwarder.

*Snippet from inputs.conf on the Universal Forwarder

[monitor:///path/to/apache/2.2/web/.../logs/*access_log]

disabled = false

sourcetype = access_combined

index = internet

followTail=0

With this configuration, we properly set the following fields
index = internet,
host = unixservername,
sourcetype = access_combined

The problem is, we need a field with the webserver name in segment 6 of the source:
/path/to/apache/2.2/web/.../logs/*access_log

We tried adding host_segment = 6 to the forwarder stanzas, but then we lose our true "host = unixservername" which is also necessary. Unfortunately, this information is NOT available anywhere but the source field.

So....

We can easily create a search time |rex for Splunk to process to pull the information:
|rex field=source "\/path\/to\/apache\/[0-9].[0-9]\/\w+\/(?.*?)\/"

This works well... however, I don't want my users to have to run this every time they search.

I would like the ability to add this as a Index time or Search time extraction through props and transforms -- preferably at the forwarder or indexer level. Any suggestions? Thanks for your help, ideas, and input! I'm stuck...

Jeremy

Ayn · ‎08-07-2013

Just set up a field extraction as usual - are you familiar with how to do this in props.conf / transforms.conf? If so, it's just like a regular field extraction but you specify SOURCE_KEY = (yourfieldhere) (for REPORT style extractions that reference a transforms.conf entry) or EXTRACT = <yourregex> in <yourfieldhere> (for EXTRACT style extractions directly in props.conf).

So for the first case it'd be something like...props.conf:

[yoursourcetype]
REPORT-getfieldfromsource = getfieldfromsource

transforms.conf:

[getfieldfromsource]
SOURCE_KEY = source
REGEX = /path/to/apache/[0-9]\.[0-9]/\w+/(.*?)/
FORMAT = webserver::$1

Or, in the second case, just throw your rex statement in almost unaltered into an EXTRACT extraction in props.conf:

[yoursourcetype]
EXTRACT-getfieldfromsource = /path/to/apache/[0-9]\.[0-9]/\w+/(?<webserver>.*?)/ in source

View solution in original post

Ayn · ‎08-07-2013

Just set up a field extraction as usual - are you familiar with how to do this in props.conf / transforms.conf? If so, it's just like a regular field extraction but you specify SOURCE_KEY = (yourfieldhere) (for REPORT style extractions that reference a transforms.conf entry) or EXTRACT = <yourregex> in <yourfieldhere> (for EXTRACT style extractions directly in props.conf).

So for the first case it'd be something like...props.conf:

[yoursourcetype]
REPORT-getfieldfromsource = getfieldfromsource

transforms.conf:

[getfieldfromsource]
SOURCE_KEY = source
REGEX = /path/to/apache/[0-9]\.[0-9]/\w+/(.*?)/
FORMAT = webserver::$1

Or, in the second case, just throw your rex statement in almost unaltered into an EXTRACT extraction in props.conf:

[yoursourcetype]
EXTRACT-getfieldfromsource = /path/to/apache/[0-9]\.[0-9]/\w+/(?<webserver>.*?)/ in source

zindain24 · ‎08-07-2013

Fantastic Ayn, Thank you for the detailed response!

Field extraction from information in field=source

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation